Ad-Hoc Access (formerly Secure Connect) provides the following features. Choose all that apply.

1. A. PSM connections to target devices that are not managed by CyberArk.
2. B. Session Recording.
3. C. Real-time live session monitoring.
4. D. PSM connections from a terminal without the need to login to the PVWA.

Correct Answer: ABC
Ad-Hoc Access (formerly Secure Connect) is a feature that allows users to connect to target devices that are not managed by CyberArk through the PSM. Users can specify the address, username, and password of the target device, and select a client to launch the connection. Ad-Hoc Access sessions benefit from the standard PSM features, such as session recording, detailed auditing, and real-time live session monitoring. However, Ad- Hoc Access does not allow users to connect from a terminal without logging in to the PVWA, as this would bypass the authentication and authorization mechanisms of CyberArk. References:
✑ Configure ad hoc connections
✑ Ad Hoc Connections
✑ Privileged Remote Access Management – PAM Remote Access

To enable the Automatic response “Add to Pending” within PTA when unmanaged credentials are found, what are the minimum permissions required by PTAUser for the PasswordManager_pending safe?

1. A. List Accounts, View Safe members, Add accounts (includes update properties), Update Account content, Update Account properties
2. B. List Accounts, Add accounts (includes update properties), Delete Accounts, Manage Safe
3. C. Add accounts (includes update properties), Update Account content, Update Account properties, View Audit
4. D. View Accounts, Update Account content, Update Account properties, Access Safe without confirmation, Manage Safe, View Audit

Correct Answer: A
To enable the automatic response “Add to Pending” within PTA when unmanaged credentials are found, the PTAUser needs to have the minimum permissions for the PasswordManager_pending safe as follows:
✑ List Accounts: This permission allows the PTAUser to view the accounts in the safe and their properties.
✑ View Safe members: This permission allows the PTAUser to view the members of the safe and their authorizations.
✑ Add accounts (includes update properties): This permission allows the PTAUser to add new accounts to the safe and update their properties, such as name, address, platform, and policy.
✑ Update Account content: This permission allows the PTAUser to update the password of the accounts in the safe.
✑ Update Account properties: This permission allows the PTAUser to update the properties of the existing accounts in the safe, such as name, address, platform, and policy.
These permissions are required for the PTAUser to be able to detect unmanaged privileged accounts and add them to the pending accounts queue in the PasswordManager_pending safe. The PTAUser also needs to have the same permissions for the PasswordManager_reconcile safe to enable the automatic response “Reconcile credentials” for suspicious password change events. References: Configure PTA Remediations, Safe Member Authorizations

For an account attached to a platform that requires Dual Control based on a Master Policy exception, how would you configure a group of users to access a password without approval.

1. A. Create an exception to the Master Policy to exclude the group from the workflow process.
2. B. Edith the master policy rule and modify the advanced’ Access safe without approval’ rule to include the group.
3. C. On the safe in which the account is stored grant the group the’ Access safe without audit’ authorization.
4. D. On the safe in which the account is stored grant the group the’ Access safe without confirmation’ authorization.

Correct Answer: D
Dual Control is a feature that requires the approval of another user before accessing a password. It is based on a Master Policy rule that applies to all accounts attached to platforms that have this rule enabled. However, there may be situations where a group of users needs to access a password without approval, such as in an emergency or for troubleshooting purposes. In this case, an exception can be made by granting the group the ‘Access safe without confirmation’ authorization on the safe in which the account is stored. This authorization bypasses the Dual Control workflow and allows the group to retrieve the password without waiting for approval. However, the password retrieval will still be audited and recorded in the Vault.

You need to recover an account localadmin02 for target server 10.0.123.73 stored in Safe Team1.
What do you need to recover and decrypt the object? (Choose three.)

1. A. Recovery Private Key
2. B. Recover.exe
3. C. Vault data
4. D. Recovery Public Key
5. E. Server Key
6. F. Master Password

Correct Answer: ABC
To recover and decrypt an account that is stored in a Safe, you need the following items:
✑ Recovery Private Key: This is a key that is used to decrypt the data stored in the Vault. It is located on the Master CD, which is a physical CD that contains the Private Recovery Key, a file named RecPrv.key.
✑ Recover.exe: This is a utility that is used to recover information from a Safe’s external files in case of loss or corruption of that Safe. The files are decrypted and saved as readable files. The utility can be run from the command line or the graphical user interface.
✑ Vault data: This is the data that is stored in the Vault, such as accounts, safes, platforms, policies, users, groups, and audit records. The Vault data is encrypted using the Recovery Public Key, which is a key that is used to encrypt the data stored in the Vault. The Vault data can be recovered from the Vault server disk drive or from a backup file.
References: Recover, Server keys, Export Vault Information

You want to build a connector that connects to a website through the Web applications for PSM framework.
Which default connector do you duplicate and modify?

1. A. PSM-ChromeSample
2. B. PSM-WebForm
3. C. PSM-WebApp
4. D. PSM-WebAppSample

Correct Answer: D
When building a connector to connect to a website through the Web applications for PSM framework, you would duplicate and modify the default connector PSM-WebAppSample. This sample connector serves as a template that can be customized to fit the specific requirements of the web application you are targeting. It provides a starting point with predefined settings that can be adjusted to create a new, functional connector for the desired web application12.
References:
✑ CyberArk Docs - Web applications for PSM2
✑ CyberArk Docs - Configure PSM to connect to Web applications1